(Early-stage non-public draft of event agenda)

Free and Safe in Cyberspace –
San Francisco Edition 2016

We are told daily by nearly all privacy experts and government officials that we must to choose between meaningful personal privacy and enabling lawfully authorized and constitutional cyber-investigations. But both are essential to democracy and freedom. What if safe and freedom were not an “either or” choice, but primarily a solvable “both or neither” challenge?

Recent evidence suggests that nearly all IT devices and services are remotely, undetectably and scalably hackable by several actors, through state-sanctioned or state-mandated backdoors.

As a consequence, EU and US IT companies are struggling to find ways to offer the levels of trustworthiness that both customers and constitutions require, by differentiating themselves sustainably on the basis of provable and meanigfully-higher levels of trustworthiness. Meanwhile, citizens, corporation and public institutions are unable to access, at whatever cost, the levels of security that they need and demand.

Are key assets and capabilities of nations’ law enforcement, defense and intelligence themselves highly vulnerable to attackers – foreign, domestic and internal – due to the lack of sufficiently comprehensive, translucent and accountable socio-technical standards, such as in IT facility access, device fabrication or assembly? How vulnerable are AI-driven autonomous IT systems, moveable and not, to attacks via their critical socio-technical low-level subsystems?

How far can the extreme application of the principles of accountability, transparency, oversight and extreme verification relative to complexity, to all and every critical component and process in the entire lifecycle of a given IT service or experience, in concurrently solving those 2 challenges?

Aims

Our aims to catalyse a constructive dialogue and a wide informed consensus on new international standards and certification governance bodies for ultra-high assurance IT systems and life-cycles – for communications, constitutional lawful access and autonomous systems – to deliver access to unprecedented and constitutionally– meaningful e-privacy and e-security to all, while increasing public safetyand cyber-investigation capabilities.

Past Editions

On Sept 24-25th 2015, the 1st EU Edition 2015 was held in Brussels, with attracted amazing speakers, including the most recognized IT security experts of Europe and the US – including Bruce Schneier, Bart Preneel, Richard Stallman, Steven Bellovin – and the most relevant EU defense, IT security and R&D institutions – such as the Head of Information Superiority of the European Defence Agency, the Deputy European Data Protection Supervisor, the Deputy Head of Security & Trust of EU DG Connect, Exec. Dir. of ECSEL-JU, Senior Executive of the Future of Humanity Institute, and Melle Van Den Berg ofCapGemini Netherlands. See the the report and the program with videos.

On Oct 16th 2015, a smaller 1/2-day Latin American Edition was then held in Iguazu, Brazil, with distinguished the minister of IT of Brazil, Marcos Mazoni, and a high-ranking official of the Brazilian Cyber Command, and the CEO of the most advanced crypto company in Brazil, Kryptus.

On July 21st 2016, a 1st US Edition 2016 was held in New York with amazing confirmed speakers, including Joe Cannataci, the UN Special Rapporteur on the Right of Privacy, and Max Schrems, the Austrian privacy activist behind the overhaul of Safe Harbor Agreement.

On Sept 22-23, a 2nd EU Edition 2016 was held in Brussels with the participation of an amazing set of speakers, including the CIO of Austria, the Vice-Chair of the EU Parliament LIBE Committee, the Head of R&D of the Italian Banking Association, the Head of R&D of the France Nuclear Agency.

A Primer on the Challenges

After Snowden and recent notable breachs, it has become clear that the presence of remotely exploitable vulnerabilities in such systems – and their wide-spread access to malicious actors – are originated primarily by a relatively very low of level engineering and verification relative to system complexity, but also by the huge investment of powerful states to create, purchase and discover such vulnerabilities – from fabrication to standard setting – in order to ensure access to every internet connected device to pursue non-localizaeble suspects, according to due legal process.

Can the paradigm “Trust but verify” still be a sufficient when the bribery, threatening or identity theft of a single person (rarely 2), in key role in the lifecyle of a single critical component or process, can enable concurrent compromisation of every instance of a given critical IT system, including communication, state surveillance, or autonoumous moveable devices? Should the paradigm rather be “Trust or verify”, by deepening and extending oversight all the way to CPU designs and fabrication oversight? But how can that be made economical for wide spread adoption and compatible with feature and performance needs?

We are told daily by nearly all privacy experts and government officials that we must to choose between meaningful personal privacy and enabling lawfully authorized cyber-investigations. But both are essential to democracy and freedom. What if it was not a choice of “either or”, a zero-sum game, but instead primarily a “both or neither” challenge, yet to be proven unfeasible?

What if safe and freedom were not an “either or” choice, but a “both or neither” challenge?
A challenge that we can tackle simply by applying completely and thorougly widely shared principals of accountability, transparency, oversight and extreme verification relative to complexity, to all and every critical component and process in the entire lifecycle?

Are key assets and capabilities of nations’ law enforcement, defense and intelligence themselves highly vulnerable to attackers – foreign, domestic and internal – due to the lack of sufficiently comprehensive, translucent and accountable socio-technical standards, such as in IT facility access, device fabrication or assembly? How vulnerable are AI-driven autonomous IT systems, moveable and not, to attacks via their critical socio-technical low-level subsystems?

What if the extreme and comprehensive safeguards – technological and prganizational, that we need to achieve such levels of trustworthiness (i.e. assurance) are mostly the same that would allow ICT providers to compliance mechanisms to lawful access requests, voluntarily (i.e. in addition to what’s required by selected jurisdictions), without significantly increasing risks for the privacy of users nor for public safety?

Footnotes

* “High-assurance” is a term in the field of IT security and privacy reserved to those IT systems, devices, components, life-cycles, supply chains that provide the highest level of confidentiality, integrity and/or availability, often aimed at niche sub-markets but at times to mass-markets. But recent revelation have clearly proven their inadequacy, hence the need to create a new term ultra-high assurance IT.

[1] Is it feasible to provide citizens with affordable and user-friendly ICT with levels of trustworthiness that are meaningfully-abiding to the UN and EU Charter of Fundamental Rights, as a supplement to their every-day computing devices? If so, how? What scale of investments, standards, standard setting and certifications processes are needed?

[2] Can providers of ultra-high assurance ICT devise compliance mechanisms to lawful access requests, voluntarily (i.e. in addition to what’s required by selected jurisdictions), without significantly increasing risks for the privacy of users nor for public safety? If so, how? What are the core paradigms of such certification processes? What are the legal constraints in EU and US?

[3] What is the potential of the application of ultra-high assurance IT paradigms and technologies – applied to critical client and server endpoints – to complement blockchain technologies to radically improve the confidentiality and integrity of financial transaction? What is their wider economic potential for startup and silicon manufacturing in the Valley?